GHSA-v78c-4p63-2j6c: 
JavaScript vulnerability analysis and mitigation

A moderate severity vulnerability (GHSA-v78c-4p63-2j6c) was identified in moment-timezone affecting versions >= 0.1.0 and < 0.5.35. The vulnerability involves cleartext transmission of sensitive information during the timezone data download process. The issue was discovered and published on August 23, 2022, with the last update on January 12, 2023. The vulnerability affects the build process of moment-timezone when fetching timezone data from IANA's servers (GitHub Advisory).

The vulnerability is classified as CWE-319 (Cleartext Transmission of Sensitive Information) and stems from the use of an unencrypted FTP endpoint for downloading timezone data during the build process. Specifically, the build script was using an unencrypted FTP URL (ftp://ftp.iana.org/tz/tzdata-latest.tar.gz) to fetch timezone data, making it susceptible to man-in-the-middle attacks (Timezone Commit).

If an attacker intercepts the request to IANA's unencrypted FTP server during the build process, they could potentially serve malicious data that might exploit the moment-timezone tzdata pipeline or produce a tainted version of moment-timezone. While the practicality of such attacks has not been proven, the vulnerability presents a significant security risk during the build process (GitHub Advisory).

The vulnerability has been patched in version 0.5.35 by changing the FTP endpoint to an HTTPS endpoint. For users unable to upgrade, there are two workarounds available: 1) Specify the exact version of tzdata (e.g., using 'grunt data:2014d' command), or 2) Apply the patch manually before issuing the grunt command. The patch involves changing the endpoint from FTP to HTTPS and should be applicable with minor modifications to all affected versions (GitHub Advisory).